
Sunday, November 8, 2020

SailPoint saving AD values as a secondary auth source

This post is primarily so I remember how I do every client's AD. The point of saving AD values as Identity Attributes is twofold. First, it indicates whether the user has an AD account (this can be done for any target, but AD is the one that almost everyone uses as their primary provisioning target). Second, it gives you the OPTION of keeping the values for all time, which lets you ensure that no duplicates are created.

I create 5 Identity Attributes:

adLogin (AD Login) which derives from sAMAccountName

adEmailAddress (AD Email Address) which derives from mail

adDistinguishedName (AD Distinguished Name) which derives from distinguishedName

adUserPrincipalName (AD User Principal Name) which derives from userPrincipalName

adObjectGuid (AD Object Guid) which derives from objectguid

Any or all of these can be backed up with a global rule I normally call IdentityAttribute-PersistOldValue, whose entire source is literally: return oldValue;

You have to decide on your own which if any are sortable. Make a value sortable if you plan to do a search on it using any search method.

If you use the global rule then your values will not be removed if the user loses their AD account, so the attribute no longer tells you whether the account currently exists. Be careful and aware of this.

 


Friday, June 5, 2020

Customizing SailPoint Task Definitions - Run with Response

Subject: Batch Processing in SailPoint

Regarding: Adding responses to a batch process using Run Rule

Creating a TaskDefinition for running a rule is normally performed by the following:

Setup -> Tasks
New Task -> Run Rule

Enter the details such as what you want the task to be named, its description, and then the rule to be executed. Then Save and Run.


Once you have done this, you will have a framework TaskDefinition with the following elements:

<Attributes>
  <Map>
    <entry key="ruleName" value="the rule you chose"/>
  </Map>
</Attributes>

and also:

<Parent>
  <Reference class="sailpoint.object.TaskDefinition" name="Run Rule"/>
</Parent>

You may want to output some results.  The issue with this is that the Run Rule normally does not have a section for outputs.

To fix this you can add the following elements:

<Signature>
  <Returns>
    <Argument name="totalCount" type="int">
      <Prompt>Total users processed</Prompt>
    </Argument>
    <Argument name="resultString" type="string">
      <Prompt>Results:</Prompt>
    </Argument>
  </Returns>
</Signature>

You also can add this to a clone of Run Rule and use that as a template for new rules.  But this does not populate the values.
 
To populate the values, the following is needed in the rule:
 
Imports:
import sailpoint.tools.Message;
import sailpoint.tools.Message.Type;
import sailpoint.object.Attributes;
import sailpoint.object.TaskResult;
import sailpoint.object.TaskResult.CompletionStatus;

Variables:
int resultCount=0;
String resultString="";

Set these values in your code.

Then just before the return:

// taskResult is only defined when the rule runs inside a task; void means it is absent
if(taskResult!=void) {
  taskResult.addMessage(new Message(Message.Type.Info,"Completed Successfully", null));
  // Keys must match the Argument names declared under Signature/Returns
  Attributes resultAttr=new Attributes();
  resultAttr.put("totalCount",new Integer(resultCount));
  resultAttr.put("resultString",resultString);
  taskResult.setAttributes(resultAttr);
  taskResult.setCompletionStatus(TaskResult.CompletionStatus.Success);
}

I use a StringBuffer instead of concatenating the resultString, and then set resultString to the toString() result of the StringBuffer.


Inputs:

If you want to add inputs to the Run Rule task definition, you would need to start by pulling the signature inputs from Run Rule.  From there you can add fields as you would any TaskDefinition.

For example:

<Signature>
  <Inputs>
    <Argument helpKey="help_task_run_rule_rule" name="ruleName" required="true" type="Rule">
      <Prompt>label_rule</Prompt>
    </Argument>
    <Argument helpKey="help_task_run_rule_ruleconfig" name="ruleConfig" type="string">
      <Prompt>label_rule_config</Prompt>
    </Argument>
    <Argument helpKey="Enter action to be taken" name="action" type="string">
      <Prompt>Action</Prompt>
    </Argument>
  </Inputs>
</Signature>

In the rule you can use the following code to check for action:

String actionStr=null;
// config holds the task inputs; the key is absent when the field was left blank
if(config.containsKey("action")) {
  actionStr=(String) config.get("action");
}

Later you can check the value of actionStr. If nothing was entered, the key will not be present in config at all, which is why the containsKey check comes first.
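Putting the inputs and outputs together, here is an added example of a complete Run Rule body (not code from the original post): it reads the action input described above, counts identities that carry the adLogin attribute from the earlier AD post, and fills in the totalCount and resultString outputs. The action value "list" and the use of adLogin are assumptions for this example.

```java
import java.util.Iterator;
import sailpoint.object.Attributes;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.object.TaskResult;
import sailpoint.tools.Message;

// Added example, not from the post: counts identities whose adLogin attribute
// (from the earlier AD post) is set. "list" is a hypothetical action value.
int resultCount = 0;
StringBuffer results = new StringBuffer();

// The "action" input is only present in config when something was entered.
String actionStr = null;
if (config.containsKey("action")) {
  actionStr = (String) config.get("action");
}
boolean listNames = "list".equalsIgnoreCase(actionStr);

// Iterate lazily so a large identity population is not loaded at once.
Iterator it = context.search(Identity.class, new QueryOptions());
while (it.hasNext()) {
  Identity identity = (Identity) it.next();
  if (identity.getAttribute("adLogin") != null) {
    resultCount++;
    if (listNames) {
      results.append(identity.getName()).append(" -> ")
             .append(identity.getAttribute("adLogin")).append("\n");
    }
  }
  context.decache(identity); // release the object from the session as we go
}
if (!listNames) {
  results.append("Identities with an AD login: ").append(resultCount);
}

// Populate the outputs declared in the Signature so they appear on the result.
if (taskResult != void) {
  taskResult.addMessage(new Message(Message.Type.Info, "Completed Successfully", null));
  Attributes resultAttr = new Attributes();
  resultAttr.put("totalCount", new Integer(resultCount));
  resultAttr.put("resultString", results.toString());
  taskResult.setAttributes(resultAttr);
  taskResult.setCompletionStatus(TaskResult.CompletionStatus.Success);
}
return "Processed " + resultCount + " identities";
```

Because persisted adLogin values survive the loss of the AD account (see the earlier post), this count reports identities that have ever had an AD login, not necessarily those that have one now.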